{"id":6002,"date":"2023-12-04T23:02:06","date_gmt":"2023-12-04T14:02:06","guid":{"rendered":"https:\/\/engineer-chanpu.blog\/?p=6002"},"modified":"2024-05-05T09:58:54","modified_gmt":"2024-05-05T00:58:54","slug":"azure-bicep-targetscope-tenant-%eb%b0%b0%ed%8f%ac-%ea%b6%8c%ed%95%9c-%eb%ac%b8%ec%a0%9c-%eb%ac%b4%eb%a3%8c-azure-%ed%99%98%ea%b2%bd","status":"publish","type":"post","link":"https:\/\/engineer-chanpu.blog\/?p=6002","title":{"rendered":"Azure Bicep: targetScope = ‘tenant’ \ubc30\ud3ec \uad8c\ud55c \ubb38\uc81c"},"content":{"rendered":"\n

tagetScope = ‘tenant’<\/h1>\n\n\n\n

\ubc30\ud3ec \ubc94\uc704\ub97c \ud14c\ub10c\ud2b8(Azure Entra ID, \uc774\uc804 Azure AD)\ub85c \uc9c0\uc815\ud55c \uc774\uc720\ub294, \uac01 \ub9ac\uc18c\uc2a4\ub4e4\uc774 \ub3d9\uc77c\ud55c \uad6c\ub3c5, \ub9ac\uc18c\uc2a4 \uadf8\ub8f9\uc774 \uc544\ub2cc \ub2e4\ub978 \uad6c\ub3c5 \ubc0f \ub9ac\uc18c\uc2a4 \uadf8\ub8f9\uc5d0 \ubc30\ud3ec\ud560 \ud544\uc694\uac00 \uc788\uc5b4\uc11c\uc774\ub2e4. <\/p>\n\n\n\n

\ud604\uc7ac \ucc38\uc5ec\ud558\ub294 \ud504\ub85c\uc81d\ud2b8\uc758 Azure \ud658\uacbd\uc740 \ud558\ub098\uc758 Hub subscription<\/code> \uacfc \uc5ec\ub7ec Spoke subscription<\/code> \uc73c\ub85c \uad6c\uc131\ub418\uc5b4 \uc788\ub2e4. Azure PaaS \uc11c\ube44\uc2a4\ub294 \ub300\uccb4\ub85c Private Endpoint\ub97c \uc0ac\uc6a9\ud558\uba70, Hub subsription\uc758 Private DNS Zone\uc5d0 DNS \ud1b5\ud569(DNS Integration) <\/code> \uc758 \ud544\uc694\uc131\uc774 \uc788\ub2e4.<\/p>\n\n\n\n

\ucd94\uac00\uc801\uc73c\ub85c, \ub124\ud2b8\uc6cc\ud06c \ub9ac\uc18c\uc2a4(ex: virtual network, network security group, private endpoint etc)\ub294 Network \uc804\uc6a9 \ub9ac\uc18c\uc2a4 \uadf8\ub8f9\uc5d0 \ubc30\ud3ec\ud560 \ud544\uc694\uac00 \uc788\ub2e4. \u203b\uba87 \uac00\uc9c0 \ubd80\ubd84\uc5d0\uc11c \uad49\uc7a5\ud788 \ube44\ud6a8\uc728\uc801\uc73c\ub85c \uad00\ub9ac\ud558\uace0 \uc788\ub2e4\ub294 \uc0dd\uac01\uc774 \ub4e0\ub2e4.<\/p>\n\n\n\n

<\/div>\n\n\n\n
<\/circle><\/circle><\/circle><\/g><\/svg><\/span><\/path><\/path><\/svg><\/span>
\/\/ \uad6c\ub3c5(Subscription)\uc73c\ub85c \ubc94\uc704 \uc9c0\uc815<\/span><\/span>\n<\/span>\ntargetScope<\/span> <\/span>=<\/span> <\/span>'tenant'<\/span><\/span>\n<\/span>\nparam<\/span> <\/span>subscriptionID<\/span> <\/span>string<\/span><\/span>\n<\/span>\n@<\/span>description<\/span>(<\/span>'create resources at subscription level'<\/span>)<\/span><\/span>\nmodule<\/span>  <\/span>'module.bicep'<\/span> = {<\/span><\/span>\n  <\/span>name<\/span>: <\/span>'deployToSub'<\/span><\/span>\n  <\/span>scope<\/span>: <\/span>subscription<\/span>(<\/span>subscriptionID<\/span>)<\/span><\/span>\n}<\/span><\/span>\n<\/span>\n\/\/ \ub9ac\uc18c\uc2a4 \uadf8\ub8f9(Resource group)\uc73c\ub85c \ubc94\uc704 \uc9c0\uc815<\/span><\/span>\n<\/span>\ntargetScope<\/span> <\/span>=<\/span> <\/span>'tenant'<\/span><\/span>\n<\/span>\nparam<\/span> <\/span>resourceGroupName<\/span> <\/span>string<\/span><\/span>\nparam<\/span> <\/span>subscriptionID<\/span> <\/span>string<\/span><\/span>\n<\/span>\n@<\/span>description<\/span>(<\/span>'create resources at resource group level'<\/span>)<\/span><\/span>\nmodule<\/span>  <\/span>'module.bicep'<\/span> = {<\/span><\/span>\n  <\/span>name<\/span>: <\/span>'deployToRG'<\/span><\/span>\n  <\/span>scope<\/span>: <\/span>resourceGroup<\/span>(<\/span>subscriptionID<\/span>, <\/span>resourceGroupName<\/span>)<\/span><\/span>\n}<\/span><\/span>\n<\/span><\/code><\/pre><\/div>\n\n\n\n
\uadf8\ub798\uc11c targetScope<\/code>\ub97c \uc190\ubd10\uc57c \ud558\ub294\ub370, \uae30\ubcf8\uc801\uc73c\ub85c \ubc94\uc704\ub97c \uc9c0\uc815\ud558\uc9c0 \uc54a\ub294 \uacbd\uc6b0\uc5d0\ub294 \ub9ac\uc18c\uc2a4 \uadf8\ub8f9 \ubc94\uc704\uac00 \uc790\ub3d9\uc801\uc73c\ub85c \uc801\uc6a9\ub41c\ub2e4. <\/p>\n\n\n\n
<\/div>\n\n\n\n
<\/circle><\/circle><\/circle><\/g><\/svg><\/span><\/path><\/path><\/svg><\/span>
az<\/span> <\/span>deployment<\/span> <\/span>group<\/span> <\/span>create<\/span> <\/span>--template-file<\/span> <\/span>.\/main.bicep<\/span> <\/span>--parameters<\/span> <\/span>.\/main.bicepparm<\/span> <\/span>--resource-group<\/span> <\/span>myResourceGroup<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n
Tip. \uc704\uc640 \uac19\uc774, \uae30\ubcf8\uc801\uc73c\ub85c Bicep \ucf54\ub4dc\uc5d0 \uae30\uc7ac\ub41c \ub9ac\uc18c\uc2a4\ub294 \ub2e8\uc77c \ub9ac\uc18c\uc2a4 \uadf8\ub8f9\uc5d0 \ubc30\ud3ec\ud558\ub3c4\ub85d \uc9dc\uc5ec\uc838 \uc788\ub2e4.<\/em><\/p>\n\n\n\n
<\/div>\n\n\n\n
Error: \uad8c\ud55c \ubd80\uc5ec \uc2e4\ud328<\/h2>\n\n\n\n
Bicep \ud30c\uc77c\uc744 \uc0ac\uc6a9\ud558\uc5ec \ud14c\ub10c\ud2b8 \ubc30\ud3ec<\/a><\/p>\n\n\n\n
\ubc30\ud3ec\uc5d0 \ud544\uc694\ud55c \uba85\ub839\uc5b4 \ubc0f \uad8c\ud55c\uc744 Microsoft Azure \uc758 \ubb38\uc11c\ub97c \ud1b5\ud574 \ud655\uc778\ud560 \uc218 \uc788\uc5c8\ub294\ub370, \ubb38\uc81c\ub294 \uc5d0\ub7ec\uac00 \ubc1c\uc0dd \ud588\ub2e4.<\/p>\n\n\n\n
<\/circle><\/circle><\/circle><\/g><\/svg><\/span><\/path><\/path><\/svg><\/span>
 <\/span>C:\\Users\\xxxx\\OneDrive\\Vscode\\azure-bicep><\/span> <\/span>az<\/span> <\/span>role<\/span> <\/span>assignment<\/span> <\/span>create<\/span> <\/span>--assignee<\/span> <\/span>"xxxxxx-xxxxxx-xxxxxx-xxxxxx"<\/span> <\/span>--scope<\/span> <\/span>"\/"<\/span> <\/span>--role<\/span> <\/span>"Owner"<\/span>                                                             <\/span><\/span>\n<\/span>\n(<\/span>AuthorizationFailed<\/span>) The client <\/span>'live.com#xxx@xxx.xxx'<\/span> with object id <\/span>'xxxxxx-xxxxxx-xxxxxx-xxxxxx'<\/span> does not have authorization to perform action <\/span>'Microsoft.Authorization\/roleAssignments\/write'<\/span> over scope <\/span>'\/providers\/Microsoft.Authorization\/roleAssignments\/xxxxxx-xxxxxx-xxxxxx-xxxxxx'<\/span> or the scope is invalid. If access was recently granted, please refresh your credentials.<\/span><\/span>\n<\/span>\nCode:<\/span> <\/span>AuthorizationFailed<\/span><\/span>\n<\/span>\nMessage:<\/span> <\/span>The<\/span> <\/span>client<\/span> <\/span>'live.com#xxx@xxx.xxx'<\/span> <\/span>with<\/span> <\/span>object<\/span> <\/span>id<\/span> <\/span>'xxxxxx-xxxxxx-xxxxxx-xxxxxx'<\/span> <\/span>does<\/span> <\/span>not<\/span> <\/span>have<\/span> <\/span>authorization<\/span> <\/span>to<\/span> <\/span>perform<\/span> <\/span>action<\/span> <\/span>'Microsoft.Authorization\/roleAssignments\/write'<\/span> <\/span>over<\/span> <\/span>scope<\/span> <\/span>'\/providers\/Microsoft.Authorization\/roleAssignments\/xxxxxx-xxxxxx-xxxxxx-xxxxxx'<\/span> <\/span>or<\/span> <\/span>the<\/span> <\/span>scope<\/span> <\/span>is<\/span> <\/span>invalid.<\/span> <\/span>If<\/span> <\/span>access<\/span> <\/span>was<\/span> <\/span>recently<\/span> <\/span>granted,<\/span> <\/span>please<\/span> <\/span>refresh<\/span> <\/span>your<\/span> <\/span>credentials.<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n
<\/div>\n\n\n\n
\ubb38\uc81c\uc810 \ud655\uc778 \ubc0f \ud574\uacb0 \ubc29\ubc95<\/h2>\n\n\n\n
\"\"
\uad00\ub9ac\uc790 \uacc4\uc815 Global Administrator<\/code><\/figcaption><\/figure>\n\n\n\n
<\/div>\n\n\n\n
Microsoft Learn \ucc38\uace0<\/h3>\n\n\n\n
Bicep\uc744 \uc0ac\uc6a9\ud558\uc5ec \ud14c\ub10c\ud2b8\uc5d0 \ub9ac\uc18c\uc2a4 \ubc30\ud3ec: \ud544\uc694\ud55c \uc561\uc138\uc2a4<\/a><\/p>\n\n\n\n